Certipy is a Python tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).
git clone https://github.com/ollypwn/Certipy.git
cd Certipy
python3 setup.py install
Automatically abuse certificate templates for privilege escalation. This action will try to find, request and authenticate as the Administrator user. Upon success, a credential cache will be saved and the NT hash will be decrypted from the PAC in the TGS_REP.
To demonstrate how easy it is to misconfigure certificate templates, the default certificate template "Web Server" has been copied to "Copy of Web Server". The only changes were that the Server Authentication EKU was removed and that authenticated users are allowed to enroll. This allows enrollees to specify the subject and use the certificate for client authentication, i.e. to authenticate as any user. If no EKUs are specified, the certificate can be used for all purposes. Alternatively, one could add the Client Authentication EKU.
In this example, the user john is a low-privileged user who is allowed to enroll in the "Copy of Web Server" template.
By default, the user Administrator is chosen. Use the -user parameter to create a certificate for another user.
The find action will find certificate templates that are enabled by one or more CAs.
Find vulnerable templates
Use the -vulnerable parameter to only find vulnerable certificate templates.
Use the -user parameter to find vulnerable certificate templates for another user. By default, the current user will be used.
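The combination that makes "Copy of Web Server" dangerous (enrollee-supplied subject, an EKU set usable for client authentication, and broad enrollment rights) can be checked when reviewing your own templates. The following is an added example, not Certipy's code: the attribute names, flag bits and EKU OIDs are the standard AD CS ones, while `enroll_sids`, the domain SID and the sample templates are constructed for illustration.

```python
ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
PEND_ALL_REQUESTS = 0x2           # bit in msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2",  # Client Authentication
             "2.5.29.37.0"}        # Any Purpose
BROAD_SIDS = {"S-1-5-11", "S-1-1-0"}  # Authenticated Users, Everyone
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID


def audit_template(t):
    """Return reasons a template lets a low-privileged enrollee authenticate as any user."""
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    # RID 513 is Domain Users, which is as broad as Authenticated Users in practice.
    broad = [s for s in t["enroll_sids"] if s in BROAD_SIDS or s.endswith("-513")]
    gated = (t.get("msPKI-Enrollment-Flag", 0) & PEND_ALL_REQUESTS
             or t.get("msPKI-RA-Signature", 0) > 0)
    reasons = []
    if t.get("msPKI-Certificate-Name-Flag", 0) & ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("enrollee supplies subject")
    if not ekus:
        reasons.append("no EKU (valid for all purposes)")
    elif ekus & AUTH_EKUS:
        reasons.append("EKU permits client authentication")
    if broad and not gated:
        reasons.append("broad enrollment without approval: " + ", ".join(broad))
    # Only the combination of all three conditions is the issue described above.
    return reasons if len(reasons) == 3 else []


# Constructed sample data. "enroll_sids" is a hypothetical, simplified field standing in
# for the SIDs granted the Enroll right in the template's security descriptor.
TEMPLATES = [
    {"name": "Web Server", "msPKI-Certificate-Name-Flag": 1,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],  # Server Authentication only
     "enroll_sids": [DOMAIN + "-512", DOMAIN + "-519"]},
    {"name": "Copy of Web Server", "msPKI-Certificate-Name-Flag": 1,
     "pKIExtendedKeyUsage": [], "enroll_sids": ["S-1-5-11"]},
    {"name": "Copy with approval", "msPKI-Certificate-Name-Flag": 1,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll_sids": ["S-1-5-11"],
     "msPKI-Enrollment-Flag": PEND_ALL_REQUESTS},
]


def risky_templates(templates):
    """Map template name -> reasons, for templates meeting all three conditions."""
    return {t["name"]: r for t in templates if (r := audit_template(t))}


if __name__ == "__main__":
    for name, reasons in risky_templates(TEMPLATES).items():
        print(f"{name}: " + "; ".join(reasons))
```

Removing any one of the three conditions (for example, requiring manager approval or restricting enrollment to administrators) takes a template out of the result.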
Source: Penetration Testing